Session Initiation Protocol (SIP) Vulnerabilities
Mark D. Collier
Chief Technology Officer
SecureLogix Corporation
What Will Be Covered
- Introduction to SIP
- General SIP security
- SIP vulnerabilities and attack tools
- Recommendations
- Links
SIP Introduction
Session Initiation Protocol (SIP):
- Is a general-purpose protocol for managing sessions
- Can be used for any type of session
- Provides a means for voice signaling
- Defined by the IETF (looks like an Internet protocol)
- Resembles HTTP
- ASCII requests/responses
SIP Introduction
Why is SIP important:
- Generally viewed as the protocol of the future
- Designed to be simple (it’s not) and extensible
- Supported by major vendors (sort of)
- Used by many service providers
- Provides a foundation for application support
- Will be used for public VoIP access
SIP Introduction
[Diagram: enterprise VoIP network. Labels: Internet Connection, Internet, Public Voice Network, SIP Trunk, IP PBX, TDM Phones, IP Phones, Voice VLAN, PCs, Data VLAN]
SIP Components
[Diagram: SIP components and protocol stack. Labels: User Agents, Proxy, SDP, Codecs, SIP, RTP, RTCP, TCP, UDP, IPv4, IPv6]
SIP Call Flow
[Diagram: call flow between two users and two proxies. Labels: SIP/SDP over UDP/TCP (three links), RTP/RTCP over UDP]
SIP Vulnerabilities
Security issues with SIP:
- SIP is a complex, free format protocol
- SIP itself does not require any security
- Security mentioned in SIP RFC, but not required
- Security degrades to common feature set
- Security is not mandatory even if available
- UDP is commonly used for SIP transport
- Network Address Translation (NAT) breaks security
- Data firewalls do not monitor SIP
SIP Vulnerabilities
SIP-Specific Vulnerabilities:
- Eavesdropping
- General and directory scanning
- Flood-based Denial of Service (DoS)
- Fuzzing Denial of Service (DoS)
- Registration manipulation and hijacking
- Application man-in-the-middle attacks
- Session tear down
- check-sync reboots
- Redirect attacks
- RTP attacks
- SPIT
Eavesdropping
[Diagram: two users, two proxies, and an attacker]
Eavesdropping Tools
General/Directory Scanning
[Diagram: an attacker sends INVITE, OPTIONS, or REGISTER requests to two proxies]
General Scanning Tools
Nmap has the best VoIP fingerprinting database

nmap -O -P0 192.168.1.1-254
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-02-20 01:03 CST
Interesting ports on 192.168.1.21:
(The 1671 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
23/tcp open telnet
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP phone (POS3-04-3-00, PC030301)
Interesting ports on 192.168.1.23:
(The 1671 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
Device type: VoIP phone|VoIP adapter
Running: Cisco embedded
OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter
Interesting ports on 192.168.1.24:
(The 1671 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Device type: VoIP adapter
Running: Sipura embedded
OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway
Directory Scanning Tools
Linux tools:
- dirscan – uses requests to find valid UAs
- authtool – used to crack digest authentication
Denial of Service
Every component processing signaling or media is a target.
[Diagram: users, FW/NAT devices, proxies, registrars, and media gateways]
Flood-based Denial of Service
[Diagram: a flood application on a PC sends INVITE and REGISTER floods. Labels: SIP Proxy, SIP Phones]
Flood-based Denial of Service Tools
Linux tools:
- inviteflood – floods target with INVITE requests
- registerflood – floods registrar with REGISTER requests
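One way a SIP firewall or log pipeline could spot the directory scanning and INVITE/REGISTER floods described on these slides, as an added example that is not part of the original presentation: a per-source sliding window over request records. The record layout, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, deque

WATCHED = ("INVITE", "REGISTER", "OPTIONS")


def detect(events, window=10.0, max_users=5, max_requests=50):
    """events: (timestamp, src_ip, method, target_user) tuples sorted by time.

    Returns {src_ip: {"flood", "directory-scan"}} for sources that exceed the
    (assumed) thresholds inside any `window`-second span.
    """
    recent = defaultdict(deque)   # src_ip -> (timestamp, user) inside the window
    findings = defaultdict(set)
    for ts, src, method, user in events:
        if method not in WATCHED:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        # Many requests from one source in a short span: flood.
        if len(q) >= max_requests:
            findings[src].add("flood")
        # One source probing many different users: directory scan.
        if len({u for _, u in q}) >= max_users:
            findings[src].add("directory-scan")
    return dict(findings)


def sample_events():
    """Constructed records; all addresses are documentation ranges."""
    ev = []
    # Scanner probes extensions 100..107, one per second.
    ev += [(float(i), "198.51.100.7", "OPTIONS", str(100 + i)) for i in range(8)]
    # Flooder sends 200 INVITEs to one extension within two seconds.
    ev += [(20 + i * 0.01, "203.0.113.9", "INVITE", "6713") for i in range(200)]
    # Ordinary phone: periodic REGISTER plus one call.
    ev += [(t, "192.0.2.20", "REGISTER", "6001") for t in (0.0, 60.0, 120.0)]
    ev.append((65.0, "192.0.2.20", "INVITE", "6002"))
    return sorted(ev)


if __name__ == "__main__":
    print(detect(sample_events()))
```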
Fuzzing Denial of Service

INVITE sip:[email protected]:6060;user=phone SIP/2.0
Via: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa…
From: UserAgent<sip:[email protected]:6060;user=phone>
To: 6713<sip:[email protected]:6060;user=phone>
Call-ID: [email protected]
CSeq: 1 INVITE
Subject: VovidaINVITE
Contact: <sip:[email protected]:6060;user=phone>
Content-Type: application/sdp
Content-Length: 0
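A defensive counterpart to the malformed INVITE above, as an added example that is not part of the original presentation: a strict pre-parser that rejects oversized or inconsistent SIP requests before they reach the call-processing stack. The limits, the function name and the sample messages are assumptions constructed for illustration.

```python
import re

# Limits are assumptions for illustration; tune per deployment. This strict
# profile treats folded (continuation) header lines as malformed.
MAX_LINE = 256
REQUIRED = {"via", "from", "to", "call-id", "cseq"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
REQ_LINE_RE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")
VIA_RE = re.compile(r"^SIP/2\.0/(UDP|TCP|TLS|SCTP)\s+[\w.\-\[\]:]+", re.I)

def validate_sip_request(raw: bytes) -> list:
    """Return the reasons to drop a SIP request (empty list means accept)."""
    problems = []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    if not REQ_LINE_RE.match(lines[0]):
        problems.append("malformed request line")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE:
            problems.append(f"header line over {MAX_LINE} characters")
        name, sep, value = line.partition(":")
        if not sep:
            problems.append("header line without a colon")
            continue
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    missing = REQUIRED - headers.keys()
    if missing:
        problems.append("missing headers: " + ", ".join(sorted(missing)))
    if "via" in headers and not VIA_RE.match(headers["via"]):
        problems.append("Via is not SIP/2.0/<transport> <host>")
    cseq = headers.get("cseq", "").split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != lines[0].split(" ")[0]:
        problems.append("CSeq does not match the request method")
    clen = headers.get("content-length", "0")
    if not clen.isdigit() or int(clen) != len(body):
        problems.append("Content-Length does not match the body")
    return problems

# Constructed samples; 192.0.2.0/24 is a documentation address range.
GOOD = (b"INVITE sip:6713@192.0.2.10:6060;user=phone SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.20:5060\r\n"
        b"From: UserAgent<sip:user@192.0.2.20:6060;user=phone>\r\n"
        b"To: 6713<sip:6713@192.0.2.10:6060;user=phone>\r\n"
        b"Call-ID: constructed-1@192.0.2.20\r\nCSeq: 1 INVITE\r\n"
        b"Content-Length: 0\r\n\r\n")
FUZZED = GOOD.replace(b"SIP/2.0/UDP 192.0.2.20:5060", b"a" * 300)
```

Calling `validate_sip_request(FUZZED)` reports both the oversized line and the invalid Via value, while `GOOD` passes with no findings.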
Fuzzing Denial of Service Tools
Linux tools:
- protos SIP test suite
Commercial tools:
- Codenomicon
Registration Manipulation
[Diagram: two users, two proxies, and an attacker erasing, adding, or hijacking a registration]
Registration Manipulation Tools
Linux tools:
- erase_registrations – removes a registration
- add_registrations – adds one or more bogus registrations
Registration Hijacking
[Diagram: two users, two proxies, and an attacker. Labels: Hijacked Session, Hijacked Media]
Registration Hijacking Tools
Linux tools:
- reghijacker – hijacks a registration, even when using authentication
- authtool – cracks digest authentication
Application Man-in-the-middle
Attacker places themselves between proxies or proxy/UA.
[Diagram: two users, two proxies, and attackers positioned between them]
Application Man-in-the-middle Tools
Linux tools:
- sip_rogue – rogue SIP proxy or B2BUA
Session Tear Down
Attacker sends BYE messages to UAs.
[Diagram: attacker, two proxies, and two users]
Session Tear Down Tools
Linux tools:
- teardown – used to terminate a SIP call
Check-sync Reboot
Attacker sends check-sync messages to UA.
[Diagram: attacker, two proxies, and two users]
Check-sync Reboot Tools
Linux tools:
- check_sync – causes a SIP phone to reboot
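A sketch of the stateful check a SIP firewall could apply to the session tear down and check-sync messages described above, as an added example that is not part of the original presentation. It assumes messages are already parsed into dictionaries, that check-sync arrives as a NOTIFY with `Event: check-sync`, and that the class name, field names and addresses are hypothetical.

```python
class DialogFilter:
    """Admit BYE only for known dialogs and check-sync only from trusted proxies."""

    def __init__(self, trusted_proxies):
        self.trusted = set(trusted_proxies)
        self.dialogs = {}  # (Call-ID, {from-tag, to-tag}) -> peer IP addresses

    def dialog_established(self, call_id, from_tag, to_tag, peer_ips):
        # Tags are stored as a set because a BYE from the callee swaps them.
        self.dialogs[(call_id, frozenset((from_tag, to_tag)))] = set(peer_ips)

    def check(self, msg, src_ip):
        """msg: dict of parsed header fields. Returns (allow, reason)."""
        method = msg.get("method")
        if method == "BYE":
            key = (msg.get("call_id"),
                   frozenset((msg.get("from_tag"), msg.get("to_tag"))))
            peers = self.dialogs.get(key)
            if peers is None:
                return False, "BYE for unknown dialog"
            if src_ip not in peers:
                return False, "BYE from address outside the dialog"
            del self.dialogs[key]
            return True, "BYE matches dialog"
        if method == "NOTIFY" and msg.get("event", "").lower() == "check-sync":
            if src_ip not in self.trusted:
                return False, "check-sync from untrusted source"
            return True, "check-sync from trusted proxy"
        return True, "not inspected"


def demo():
    """Constructed traffic; all addresses are documentation ranges."""
    f = DialogFilter(trusted_proxies={"192.0.2.10"})
    f.dialog_established("constructed-1", "tagA", "tagB", {"192.0.2.20", "192.0.2.30"})
    bye = {"method": "BYE", "call_id": "constructed-1", "from_tag": "tagB", "to_tag": "tagA"}
    sync = {"method": "NOTIFY", "event": "check-sync"}
    return [f.check(bye, "198.51.100.7")[0],   # outsider: dropped
            f.check(bye, "192.0.2.30")[0],     # callee hangs up: allowed
            f.check(bye, "192.0.2.30")[0],     # repeated BYE: dialog is gone
            f.check(sync, "198.51.100.7")[0],  # untrusted check-sync: dropped
            f.check(sync, "192.0.2.10")[0]]    # from the configured proxy
```

Source addresses on UDP can be spoofed, so this check complements rather than replaces the TLS recommended later in the slides.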
Redirection
Attacker sends “301/302 – Moved” message; inbound calls are redirected.
[Diagram: attacker, two proxies, and two users]
Redirection Tools
Linux tools:
- redirector – used to redirect calls from a SIP UA
RTP/Audio Injection/Mixing
Attacker observes RTP and injects or mixes in new audio.
[Diagram: attacker, two proxies, and two users]
RTP/Audio Injection/Mixing
Linux tools:
- rtpinjector – monitors an RTP session and injects or mixes in new audio
SPIT
SPIT Tools
Linux tools:
- Asterisk – a free, easily installed SIP PBX that makes it easy to generate SPIT
- spitter – a tool that creates SPIT files for Asterisk
Links
- SIP attack tools – www.hackingvoip.com
- ethereal – www.ethereal.com
- wireshark – www.wireshark.com
- SiVuS – www.vopsecurity.org
- Cain and Abel - http://www.oxid.it/cain.html
- Fuzzing - http://www.ee.oulu.fi/research/ouspg/protos/index.html
- Codenomicon – www.codenomicon.com
- Asterisk – www.asterisk.org
- Trixbox – www.trixbox.org
Recommendations
- Establish policies and procedures
- Follow best practices for data security
- Secure the platforms, network, & applications
- Use standards-based security, such as TLS and SRTP
- Use SIP firewalls
- Continue to protect legacy networks
- Use knowledgeable security consultants to design, test, and secure your network
Key Points to Take Home
- SIP is an important VoIP protocol
- SIP will be used for public VoIP access
- SIP is vulnerable to attacks
- There are tools available to implement these attacks
- There are steps you can take to improve security
Contact:
Mark D. Collier
[email protected]
(210) 402-9669
QUESTIONS?